diff --git a/pkg/aa/file.go b/pkg/aa/file.go
index fb533ae4..c83322e8 100644
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
@@ -15,7 +15,7 @@ func FileFromLog(log map[string]string) ApparmorRule {
 return &File{
 Qualifier: NewQualifierFromLog(log),
 Path: log["name"],
- Access: maskToAccess[log["requested_mask"]],
+ Access: toAccess(log["requested_mask"]),
 Target: log["target"],
 }
 }
diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go
index a092b656..03a52bdf 100644
--- a/pkg/aa/mqueue.go
+++ b/pkg/aa/mqueue.go
@@ -23,7 +23,7 @@ func MqueueFromLog(log map[string]string) ApparmorRule {
 }
 return &Mqueue{
 Qualifier: NewQualifierFromLog(log),
- Access: maskToAccess[log["requested"]],
+ Access: toAccess(log["requested"]),
 Type: mqueueType,
 Label: log["label"],
 Name: log["name"],
diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go
index 1224676b..5603a24b 100644
--- a/pkg/aa/ptrace.go
+++ b/pkg/aa/ptrace.go
@@ -13,7 +13,7 @@ type Ptrace struct {
 func PtraceFromLog(log map[string]string) ApparmorRule {
 return &Ptrace{
 Qualifier: NewQualifierFromLog(log),
- Access: maskToAccess[log["requested_mask"]],
+ Access: toAccess(log["requested_mask"]),
 Peer: log["peer"],
 }
 }
diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go
index 2d98b60d..3dbf9e16 100644
--- a/pkg/aa/signal.go
+++ b/pkg/aa/signal.go
@@ -14,7 +14,7 @@ type Signal struct {
 func SignalFromLog(log map[string]string) ApparmorRule {
 return &Signal{
 Qualifier: NewQualifierFromLog(log),
- Access: maskToAccess[log["requested_mask"]],
+ Access: toAccess(log["requested_mask"]),
 Set: log["signal"],
 Peer: log["peer"],
 }
diff --git a/pkg/aa/template.go b/pkg/aa/template.go
index 59b049c0..616969fd 100644
--- a/pkg/aa/template.go
+++ b/pkg/aa/template.go
@@ -30,39 +30,19 @@ var (
 tmplAppArmorProfile = generateTemplate()
 
 // convert apparmor requested mask to apparmor access mode
- // TODO: Should be a map of slice, not exhaustive yet
- maskToAccess = map[string]string{
- "a": "w",
- "ac": "w",
- "c": "w",
- "create": "create",
- "d": "w",
- "delete": "delete",
- "getattr": "getattr",
- "k": "k",
- "l": "l",
- "m": "rm",
- "open": "open",
- "r": "r",
- "ra": "rw",
- "read write": "read write",
- "read": "read",
- "readby": "readby",
- "receive": "receive",
- "rm": "rm",
- "rw": "rw",
- "send receive": "send receive",
- "send": "send",
- "setattr": "setattr",
- "w": "w",
- "wc": "w",
- "wd": "w",
- "wk": "wk",
- "wr": "rw",
- "wrc": "rw",
- "wrd": "rw",
- "write": "write",
- "x": "rix",
+ requestedMaskToAccess = map[string]string{
+ "a": "w",
+ "ac": "w",
+ "c": "w",
+ "d": "w",
+ "m": "rm",
+ "ra": "rw",
+ "wc": "w",
+ "wd": "w",
+ "wr": "rw",
+ "wrc": "rw",
+ "wrd": "rw",
+ "x": "rix",
 }
 
 // The order the apparmor rules should be sorted
@@ -168,3 +148,10 @@ func getLetterIn(alphabet []string, in string) string {
 }
 return ""
 }
+
+func toAccess(mask string) string {
+ if requestedMaskToAccess[mask] != "" {
+ return requestedMaskToAccess[mask]
+ }
+ return mask
+}
diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go
index 432e678c..3c353579 100644
--- a/pkg/aa/unix.go
+++ b/pkg/aa/unix.go
@@ -20,7 +20,7 @@ type Unix struct {
 func UnixFromLog(log map[string]string) ApparmorRule {
 return &Unix{
 Qualifier: NewQualifierFromLog(log),
- Access: maskToAccess[log["requested_mask"]],
+ Access: toAccess(log["requested_mask"]),
 Type: log["sock_type"],
 Protocol: log["protocol"],
 Address: log["addr"],
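Review bot: The `return mask` fallback in toAccess changes what reaches the Access field for a requested_mask that has no table entry: the old map lookup produced "" for such values, whereas the raw log string is now copied through unchanged, and the dropped `TODO: Should be a map of slice, not exhaustive yet` comment in the first template.go hunk no longer flags that the table is partial. Since the map hunk relies on this passthrough for every identity entry it removed (`r`, `w`, `rw`, `create`, `delete`, ...), the comment above requestedMaskToAccess should say so, e.g. `// masks not listed here are used verbatim as the access mode (see toAccess)`. toAccess itself has no doc comment and looks the key up twice; `// toAccess maps a requested mask from a log entry to a rule access mode; masks without a table entry are returned unchanged.` together with `if access, ok := requestedMaskToAccess[mask]; ok { return access }` would document the contract and do a single lookup. If masks the table does not recognise are meant to be rejected rather than copied into a rule, this function is the place for that check, since every FromLog caller in this diff now routes through it.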